Error an unknown error occurred while processing the certificate

I have a self-signed certificate and i would like to use it on my websockets server to handle requests from wss://localhost:443. I connect to the server from any web-browser.

However, i cant seem to get the authentication right. Everytime i try to connect to the WebSockets Server via Advanced Rest Client (ARC) software, i type wss://localhost:443 or wss://127.0.0.1:443,

Am getting the exception

«System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. —> System.ComponentModel.Win32Exception: An unknown error occurred while processing the certificate«.

I created the certificate using openssl for windows and created a very simple certificate. Still i cant get the authentication right. Any help?

Here is how am trying to go about it with the C# code

var serverCertificate = new X509Certificate2("E:\TestsFolder\test-cert.pfx", "12345");
var certificates = new X509CertificateCollection { serverCertificate };

Stream stream = tcpClient.GetStream();

SslStream sslStream = new SslStream(stream, false,
                    (o, x509Certificate, chain, errors) => true,
                    (o, s, collection, x509Certificate, issuers) => certificates[0]);

await sslStream.AuthenticateAsServerAsync(serverCertificate, false, SslProtocols.Tls12, false);

WebSocketHttpContext context = await _webSocketServerFactory.ReadHttpHeaderFromStreamAsync(sslStream, source.Token);

What on earth could i be missing?

Here is a shot of my console with the exception

varlamand	#1 Оставлено : 9 августа 2012 г. 18:32:56(UTC)
Статус: Участник Группы: Участники Зарегистрирован: 09.08.2012(UTC) Сообщений: 10	Доброго дня! Выполняю установку ЦР на Windows Server 2008 R2. КриптоПро CSP 3.6 R2 6497 KC2 x64 стоит. Все настройки по руководству. При установке самого ЦР на этапе установки SQL вылезает: В логах выводит следующее: SQL service MSSQL$CPCC started successfully waiting for SQL service to accept client connections Service MSSQL$CPCC started at Thu Aug 09 12:32:04 2012 SQL_ERROR (-1) in OdbcConnection::connect sqlstate=08001, level=-1, state=-1, native_error=-2146893017, msg=[Microsoft][SQL Native Client]SSL Provider: An unknown error occurred while processing the certificate. sqlstate=08001, level=-1, state=-1, native_error=-2146893017, msg=[Microsoft][SQL Native Client]Client unable to establish connection Error Code: -2146893017 Windows Error Text: An unknown error occurred while processing the certificate. Source File Name: libodbc_connection.cpp Compiler Timestamp: Sat Sep 18 20:51:17 2010 Function Name: OdbcConnection::connect@connect Source Line Number: 148 —- Context ———————————————— Connecting to SQL Server ExecuteSqlCommands Originial error was 80090327 (807) cript SqlScriptHlpr Error Code: -2146893017 MSI (s) (C4!64) [12:34:05:812]: Product: Microsoft SQL Server 2005 Express Edition — Error 29515. SQL Server Setup could not connect to the database service for server configuration. The error was: [Microsoft][SQL Native Client]SSL Provider: An unknown error occurred while processing the certificate. Refer to server error logs and setup logs for more information. For details on how to view setup logs, see «How to View Setup Log Files» in SQL Server Books Online. Error 29515. SQL Server Setup could not connect to the database service for server configuration. The error was: [Microsoft][SQL Native Client]SSL Provider: An unknown error occurred while processing the certificate. Refer to server error logs and setup logs for more information. For details on how to view setup logs, see «How to View Setup Log Files» in SQL Server Books Online. <Func Name=’GetCAContext’> <EndFunc Name=’GetCAContext’ Return=’T’ GetLastError=’203′> Doing Action: Do_sqlScript PerfTime Start: Do_sqlScript : Thu Aug 09 12:34:05 2012 Service MSSQL$CPCC with parameters ‘-m SqlSetup -Q -qCyrillic_General_CI_AS -T4022 -T3659 -T3610 -T4010’ is being started at Thu Aug 09 12:34:05 2012 Attempt to start service when it is already running SQL service MSSQL$CPCC started successfully waiting for SQL service to accept client connections Service MSSQL$CPCC started at Thu Aug 09 12:34:05 2012 SQL_ERROR (-1) in OdbcConnection::connect sqlstate=08001, level=-1, state=-1, native_error=-2146893017, msg=[Microsoft][SQL Native Client]SSL Provider: An unknown error occurred while processing the certificate. sqlstate=08001, level=-1, state=-1, native_error=-2146893017, msg=[Microsoft][SQL Native Client]Client unable to establish connection Error Code: -2146893017 Windows Error Text: An unknown error occurred while processing the certificate. Source File Name: libodbc_connection.cpp Compiler Timestamp: Sat Sep 18 20:51:17 2010 Function Name: OdbcConnection::connect@connect Source Line Number: 148 Кто сталкивался с похожей ошибкой, можете помочь?

dedov	#2 Оставлено : 9 августа 2012 г. 19:13:10(UTC)
Статус: Эксперт Группы: Участники Зарегистрирован: 03.04.2008(UTC) Сообщений: 372 Откуда: Россия, г. Белгород Сказал «Спасибо»: 11 раз Поблагодарили: 9 раз в 9 постах	криптопро на сервере ЦР должна иметь серверную лицензию!

varlamand	#3 Оставлено : 9 августа 2012 г. 19:19:33(UTC)
Статус: Участник Группы: Участники Зарегистрирован: 09.08.2012(UTC) Сообщений: 10	dedov написал: криптопро на сервере ЦР должна иметь серверную лицензию! Ага. И имеет. Подробнее пожалуйста, что вы имели в виду.

dedov	#4 Оставлено : 9 августа 2012 г. 19:58:00(UTC)
Статус: Эксперт Группы: Участники Зарегистрирован: 03.04.2008(UTC) Сообщений: 372 Откуда: Россия, г. Белгород Сказал «Спасибо»: 11 раз Поблагодарили: 9 раз в 9 постах	посмотрите еще это

varlamand	#5 Оставлено : 9 августа 2012 г. 20:33:49(UTC)
Статус: Участник Группы: Участники Зарегистрирован: 09.08.2012(UTC) Сообщений: 10	Спасибо, помогло. Импортнул все что было в C:WindowsSystem32CertSrvCertEnroll, помогла установка другого crl. Странно, у меня вместе с веб-сертификатом был crl но почему-то ему был необходим другой.

Быстрый переход
 

Вы не можете создавать новые темы в этом форуме.

Вы не можете отвечать в этом форуме.

Вы не можете удалять Ваши сообщения в этом форуме.

Вы не можете редактировать Ваши сообщения в этом форуме.

Вы не можете создавать опросы в этом форуме.

Вы не можете голосовать в этом форуме.

answered on 26 Oct 2015, 10:36 PM

Hi Eric,

Thanks for the quick reply.

My HTTPS Protocols are set to ‘<client>;ssl3;tls1.0’.

The workaround you suggest is effective — thanks.​

I’ve verified on three separate machines that the upgrade from 4.6.0.2 to 4.6.1.0 results in a System.Security.Authentication.AuthenticationException being raised for the CONNECT request.

Here’s a comparison of the request and result from 4.6.0.2 and 4.6.1.0:

4.6.0.2:

4.6.1.0:

1. Jun 25th, 2019, 06:10 PM

   
   

   #1

   

   Thread Starter

   
   Lively Member
   

   

   ---

   [RESOLVED] An unknown error occured when processing the certificate
   

   Hi All,

   Using WinHTTP Services 5.1 with VB6 on Windows 7 to post data to an (HTTPS) API. My (static) IP address has been whitelisted on the remote host and we are using HMAC tokens to authenticate to the endpoint. Basic code below:

   Code:

   oAPI.setTimeouts 0, 600000, 600000, 600000
   oAPI.Open "POST", sURL, False
   sBody = oXMLDoc.xml
   oAPI.setRequestHeader "mac", sToken
   oAPI.setRequestHeader "Content-Type", "application/xml"
   oAPI.Send sBody

   However on the .Send call we are receiving -2146893017 (80090327) An unknown error occurred while processing the certificate.

   I have tried adding the following options immediately after the .Open call with no success (we still receive the same error message):

   Code:

   oAPI.Option(WinHttpRequestOption_UserAgentString) = "IE11"
   oAPI.Option(WinHttpRequestOption_SecureProtocols) = SecureProtocol_ALL
   oAPI.Option(WinHttpRequestOption_EnableRedirects) = True
   oAPI.Option(WinHttpRequestOption_EnableHttpsToHttpRedirects) = True
   oAPI.Option(WinHttpRequestOption_SslErrorIgnoreFlags) = SslErrorFlag_Ignore_All

   Running IE11, and have confirmed SSL 2.0, 3.0 and TLS 1.0, 1.1 and 1.2 are all enabled.

   Any assistance is (as always) greatly appreciated!

   Best Regards
   Brad

   ---

2. Jun 26th, 2019, 02:47 AM

   
   

   #2

   Re: An unknown error occured when processing the certificate
   

   Try SecureProtocol_TLS1_2 for WinHttpRequestOption_SecureProtocols

   Check out this update too: https://support.microsoft.com/en-us/help/3140245

   cheers,
   </wqw>

   ---

3. Jun 26th, 2019, 09:31 AM

   
   

   #3

   

   Thread Starter

   
   Lively Member
   

   

   ---

   Re: An unknown error occured when processing the certificate
   

   Hi wqweto,

   I have applied the easy fix for registry values as well as added the DisabledByDefault values under the ‘TLS 1.1Client’ and ‘TLS 1.2Client’ and restarted, however I get a variable not defined error when I try to use SecureProtocol_TLS1_2 as the value for oAPI.Option(WinHttpRequestOption_SecureProtocols).

   ---

4. Jun 26th, 2019, 11:32 PM

   
   

   #4

   

   Thread Starter

   
   Lively Member
   

   

   ---

   Re: An unknown error occured when processing the certificate
   

   Got it figured out. Code was fine, was a miscommunication from other side’s technical support. Appreciate the help!

   ---

I used TcpListener and SslStream of c# to set up HTTPS Server, which worked well in the browser, but was not accessible by the simple-http-server project and libcurl project. Error message:

System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions)
   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at Sparrow.SparrowServer._loop_process() in F:ProjectSparrowSparrowServer.cs:line 354

The error reporting code is as follows:

var _client = _listener.AcceptTcpClient ();
using (var _ssl_stream = new SslStream (_client.GetStream ())) {
    _ssl_stream.AuthenticateAsServer (m_pfx, false, SslProtocols.Tls, true); // This line of code causes an error
    _ssl_stream.ReadTimeout = _ssl_stream.WriteTimeout = m_alive_http_ms;
    // do others
}

If I don’t use SslStream and just use TcpListener to provide the HTTP service, it will work fine in all environments.

The PFX file for creating the certificate object is an iis file issued by the issuing authority. Without problems, m_pfx object USES ‘var m_pfx = new X509Certificate (_pfx_file, _pwd);’
Method creation.If ‘X509Certificate’ is changed to ‘X509Certificate2’ in the code, then the error message is:

System.Security.Authentication.AuthenticationException: Authentication failed, see inner exception.
 ---> System.ComponentModel.Win32Exception (590615): 上下文已过期，不能再用了。
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendAuthResetSignal(ProtocolToken message, AsyncProtocolRequest asyncRequest, ExceptionDispatchInfo exception)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.CheckCompletionBeforeNextReceive(ProtocolToken message, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessReceivedBlob(Byte[] buffer, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.AuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions)
   at System.Net.Security.SslStream.AuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at Sparrow.SparrowServer._loop_process(TcpClient _client) in at Sparrow.SparrowServer._loop_process() in F:ProjectSparrowSparrowServer.cs:line 354

[edit: translate to English]

System.ComponentModel.Win32Exception (590615): The context has expired and can no longer be used

There are many posts online listing many different possible causes for these errors, so it’s not possible for this article to encompass all the solutions. These are just solutions to common causes for these errors. If the suggestions listed here don’t work for you, please email support at support@nsoftware.com

DISM /Online /Cleanup-image /ScanHealth
DISM /Online /Cleanup-image /RestoreHealth

Креатив

24.11.21 – 11:25

Есть крипто про 4. Необходимо установить stunnel. Интернет пишет, что он входит в комплект установки. Но там ничего подобного не видно.
Или он всё-таки устанавливается отдельно? Тогда, где его взять?

Garykom

1 – 24.11.21 – 11:28

Креатив

2 – 24.11.21 – 11:37

(1)Мне под винду.

Aleksey

3 – 24.11.21 – 11:40

(2) И?
На скриншоте как раз ссылки под винду и написано что в линуксе это встроено

Креатив

4 – 24.11.21 – 12:04

(3)Ну да. А оно с 4-й версие крипто про работать будет? И файлик подозрительно мелкий всего 89кб.

Garykom

5 – 24.11.21 – 12:05

(4) ты лучше скажи для чего собрался туннель делать

Креатив

6 – 24.11.21 – 12:06

(5)ГИИС ДМДК.

Garykom

7 – 24.11.21 – 12:28

Garykom

8 – 24.11.21 – 12:29

Для настройки клиентской станции необходимо:

1. Скачать приложение для создания TLS-туннеля stunnel.x86/x64 с

сайта https://www.cryptopro.ru/products/csp/downloads

2. Сохранить скаченное приложение в каталоге c:stunnel

3. Запустить командную строку от имени администратора и

выполнить c:stunnelstunnel.x64 -install

4. В каталоге c:windowssystem32 создать файл конфигурации

stunnel.conf со следующим содержимым:

output=c:stunnelstunnel.log

Креатив

9 – 24.11.21 – 16:17

(7)(8)Не читал. Пока тестовый контур пробую запустить. Благодарю за помощь.

BobG

10 – 09.02.22 – 23:13

Здравствуйте. Всё сделал по инструкции. Выдаёт ошибку:

Не удалось запустить службу Stunnel Service на Локальный компьютер
Ошибка 1069: Служба не запущена из-за ошибки входа в систему.

arsik

11 – 09.02.22 – 23:34

(10) Служба от кого запускается?

BobG

12 – 09.02.22 – 23:39

От Администратора

BobG

13 – 09.02.22 – 23:52

Эта ошибка была без пароля. Поставил пароль, Ошибка 1067: Процесс был неожиданно завершён

Сергиус

14 – 10.02.22 – 00:03

(13)Попробуйте переустановить службу.

Builder

15 – 10.02.22 – 00:26

Сергиус

16 – 10.02.22 – 01:35

(15)Есть нормальный хостинг картинок?)

Anchorite

17 – 10.02.22 – 06:25

(13) У вас журналирование настроено? В настройках stunnel.conf проверьте опцию “output” — это путь к лог-файлу. Посмотрите, что там в журнале, выложите сюда вывод.

abfm

18 – 10.02.22 – 07:08

Вопрос как решился с сертификатом? У нас 3 раз бубен и третий раз разный.

Кирпич

19 – 10.02.22 – 08:13

Если туннель запускаете под системной учетной записью, то сертификат должен быть установлен в “Сертификаты локальный компьютер”. Если под другой учетной записью, то в хранилище этой учетной записи. Пароль доступа к контейнеру должен быть сохранен. Сертификат с открытым ключем сохранить на диске и прописать к нему путь в конфиге stunnel. В инструкции всё написано.
Смысл этой байды в том, что stunnel должен иметь доступ к закрытому ключу, который у вас в хранилище. Чтобы иметь доступ к хранилищу пользователя, stunnel должен запускаться от этого пользователя. Пароль от контейнера он спрашивать не умеет, потому пароль должен быть вбит заранее и сохранен (галку там поставить).

abfm

20 – 10.02.22 – 08:58

(19)Да конечно всё по инструкции. Всё от одного пользователя. Сертификат сохранен без ключа. Прописан в конфиге. При старте ругается на сертификат. Где то только в консольной версии работает. Где то как служба. ДМДК пишут об обезличенном сертификате, народ утверждает что такие не выдают для ип (проверить не могу). Чем он лучше не говорят. ЮвелирСофт всё молиться на прямые руки сисадмина и просит 14000 за настройку stunnel.

Errors

• 80090302
• 8009030D
• 8009030E
• 80090304
• 80090308
• 80090325
• 80090326
• 80090327
• 80090331
• 8009035D
• 8009030F and 80090321

This error can occur when the component is using an older version of TLS, but the server requires a newer version. For instance if the component is using TLS 1.0, but the server requires TLS 1.2, you can see this error. Older versions of the components may not have the newer protocols enabled by default. In the current versions TLS 1.2 is enabled by default.

Possible Solutions

• Enable Supported Protocol Versions

  This can be done on any of the components that support SSL by using the SSLEnabledProtocols configuration setting. As an example setting the Icharge component to use TLS 1.2 would look like this

  Please note the documentation linked above is specifically for the current .NET Editions. For other editions or older versions please reference the help file included with the product.

This error is often seen when using PEM keys, and translates to “The credentials supplied to the package were not recognized”.

Possible Solutions

• Translate the PEM file into a PFX file.

  Using OpenSSL, the certificate can be converted with the command:

  openssl pkcs12 -export -passout pass:”” -in cert_key_pem.txt -out cert_key_out.pfx -name “My Certificate”

  Then change the SSLCertStoreType to PFXFile in your code, before setting the SSLCertSubject.

• Ensure the Network Service account has access to “C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSA.”
• If using a certificate from a Windows certificate store verify the certificate was imported wit the “Mark this key as exportable” option checked.
• If you are running the components from IIS, ensure that the Application Pool has Load User Profile set to true.

This error translates to “No credentials are available in the security package”.

Possible Solutions

• When using a certificate for client authentication, ensure the certificate’s private keys are accessible.
  The certificate in the Windows certificate store must contain the corresponding private keys, and be marked as exportable.
• Ensure that the current user and administrators have full access to “C:Documents and SettingsAll UsersApplication DataMicrosoftCryptoRSAMachineKeys”.
• Import the certificates directly into both LOCAL_MACHINEPersonal and ADAMPersonal if ADAM is installed.

This error translates to “The Local Security Authority cannot be contacted “.

• This error may to be related to Windows rejecting weak security. Microsoft KB 3061518 explains the issue. To summarize the article, simply set the ClientMinKeyBitLength DWORD value at the following location to 00000200.

  HKLMSYSTEMCurrentControlSetControlSecurityProvidersSCHANNELKeyExchangeAlgorithmsDiffie-Hellman

  After a restart, if this corrects the issue, then it is an indication that the server’s certificate uses a DHE Key length that is too small and should be updated.

• Additional reasons and solutions for this problem are detailed in Microsoft KB 813550

This error translates to “The token supplied to the function is invalid “.

Possible Causes

• The server is using a certificate with an outdated signature algorithm. See this MSDN Article
• The server doesn’t expect SSL over this port.
  Set the SSLStartMode property to sslExplicit.
• FileZilla and other FTP servers require a PROT P command to be sent for the data connection when using implicit SSL.
  Set the UseProtWhenImplicit configuration setting to True.
• The server returns a large number of CA’s in the handshake.

Also see this Knowledge Base article about this error: SSL: Error During Handshake: 80090308

This error translatest to “The certificate chain was issued by an authority that is not trusted.”

The SSL client certificate specified in the request was not accepted by the server. During the SSL handshake the issuer certificates of the SSL client certificate are not included. In Linux the OpenSSLCADir configuration setting must be set to the directory where the hash files exist so the chain is included. In Windows the issuer certs must be in the Personal store. In Java, the issuer certificates are read from the PEM file.

This error translates to “The message received was unexpected or badly formatted.”

Possible Solutions

• This error may also happen if the server and client don’t posses a common supported cipher suite. This can be the case if you’re connecting from Windows XP to a site that has recent/strict security requirements. Here is a list of ciphers supported in XP. Setting UseInternalSecurityAPI to true may help with this error as it supports many newer protocols not supported on older systems.
• Client authentication is required. Ensure that you are loading the certificate correctly.
• The server does not support the SSL Client Hello version being used. Set the SSLEnabledProtocols configuration setting to an appropriate value.
• The server does not support SSL session re-use. You can disable this by setting the ReuseSSLSession and/or ReuseSSLSessionInDI configuration setting to false.
• The server returns SSL handshake packets larger than 16K. This is a CryptoAPI limitation.

In ThreeDSecure, this error is typically related to a problem with client authentication.

This error translates to “An unknown error occurred while processing the certificate.”

This usually means that the server requires SSL client authentication and a new certificate is specified. Check the SSLStatus Event for details.

This error translates to “The client and server cannot communicate, because they do not possess a common algorithm”.

Most commonly, especially with Windows XP/Windows Server 2003, the client is probably old and doesn’t support the newer ciphers required by the server. Here is a list of ciphers supported in XP.

This error translates to “One or more of the parameters passed to the function was invalid.”

Possible Solutions

• Similar to 80090304, this error may to be related to Windows rejecting weak security. Microsoft KB 3061518 explains the issue. To summarize the article, simply set the ClientMinKeyBitLength DWORD value at the following location to 00000200.

  After a restart, if this corrects the issue, then it is an indication that the server’s certificate uses a DHE Key length that is too small and should be updated.

• The below Windows updates have been known to cause the issue:
  • KB3172605
  • KB3175024
  • KB3177186
  • KB3184122
  • KB3185911
• Additional reasons and solutions for this problem are detailed in Microsoft KB 813550

These errors are known to occur on Windows 8.1 and Windows Server 2012 R2 when using TLS 1.2 and one of the following cipher suites:

• TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

The aforementioned versions of Windows have a bug in their internal security implementations which, under very specific circumstances, can produce either the 0x80090321 (SEC_E_BUFFER_TOO_SMALL) error or the 0x8009030F (SEC_E_MESSAGE_ALTERED) error.

Due to the nature of the issue, we cannot provide a direct fix. However, you can work around these errors by doing one of the following things:

• Use our internal security API by passing the string “UseInternalSecurityAPI=True” to the Config() method. Our internal security API does not rely on the Windows security APIs, so it is not affected by the bug.
• Disable the two cipher suites mentioned above
• Disable support for TLS 1.2
• Upgrade your machine to a newer version of Windows

We appreciate your feedback.  If you have any questions, comments, or
suggestions about this entry please contact our support team at
kb@nsoftware.com.